Hello. I know there have been a few posts on this topic, but I've been messing with it most of the day and the other posts weren't able to help me reach a solution. Hoping someone can provide some guidance.
I'm looking to pull some aggregate information out of Splunk via API requests, but I wanted to pre-build the data set using a scheduled report in Splunk so that the API request returns faster, just pulling the results of the last run rather than running the search itself before returning results.
In the UI I've created a report named test. I've tried a few different schedules and it ran twice earlier today, but at the moment I have it on the cron schedule of 0 1 * * 4 (1 on Thursdays).
Via the API I can fetch the saved report named test like this:
https://SPLUNKURL:8089/services/scheduled/views/test
but no matter what schedule I set or modify in the UI, the results always show:
cron_schedule 0 6 * * 1
is_scheduled 0
with the same results when requesting:
https://SPLUNKURL:8089/servicesNS/APP/search/scheduled/views/_ScheduledView__test
and when I try:
https://SPLUNKURL:8089/services/scheduled/views/test/history
I simply receive:
<response>
<messages>
<msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
</messages>
</response>
even though I know it ran twice in the last day and I can see the results in the UI. Similarly, I tried updating the schedule via the API with:
curl -u user:password --request POST 'https://SPLUNKURL:8089/services/scheduled/views/test/reschedule/' --data schedule_time=2022-03-03T04:00:01Z
and I get the same result:
<response>
<messages>
<msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
</messages>
</response>
Am I missing something? I see the scheduled view, and it's scheduled in the UI, but I can't figure out any way to see or access the schedule or history via the API. Hoping someone can shed some light on things, as it's not making sense to me at the moment. Also, if it's helpful, I checked and I believe our Splunk server version is 6.6.7.
In case anyone runs into this same issue: we still haven't determined why the path being queried wasn't working, but we were able to find two different workarounds. The first was to modify the endpoint we were hitting to:
https://SPLUNKURL:8089/servicesNS/nobody/cet/saved/searches/test/history
which successfully returned results, and we could use the SIDs that were returned to query the results via:
https://SPLUNKURL:8089/servicesNS/nobody/APP/search/jobs/SID/results
Alternatively, we found that we were able to pull the results directly with an API search query using loadjob like this (the --data argument is quoted so the shell does not treat the & as a background operator):
curl -u user:password --request POST 'https://SPLUNKURL:8089/services/search/jobs/export' --data 'search=|%20loadjob%20savedsearch="USER:APP:test"&output_mode=json'
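The first workaround above is a two-step procedure (list the saved search's history, then pull the results of one SID), and it is easy to grab a run that is still dispatching or an older run by accident. The following is an added example, not code from the original post or from Splunk: it parses the Atom feed that the /saved/searches/NAME/history endpoint returns, picks the newest run that is actually finished, and builds the matching /search/jobs/SID/results URL. The Atom payload embedded below is constructed to resemble Splunk's response shape (entry title = SID, plus isDone/dispatchState keys); the exact keys, the app name "APP", and the host https://SPLUNKURL:8089 are assumptions. The live helpers log in once via /services/auth/login and send the session key in an Authorization header instead of putting user:password on the command line, where it would land in shell history and the process list.

```python
"""Pick the latest completed run of a Splunk scheduled report via the REST API.

Added example; not from the original post. Assumed: management port 8089,
app "APP", saved search "test". SAMPLE_HISTORY is a constructed Atom document
that imitates /saved/searches/<name>/history so the parsing runs offline.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: two finished runs and a newer one that is still running.
SAMPLE_HISTORY = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>history</title>
  <entry>
    <title>scheduler__nobody__APP__RMD5aaaa_at_1646193600_10</title>
    <published>2022-03-02T04:00:00+00:00</published>
    <content type="text/xml"><s:dict>
      <s:key name="isDone">1</s:key><s:key name="dispatchState">DONE</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>scheduler__nobody__APP__RMD5aaaa_at_1646280000_11</title>
    <published>2022-03-03T04:00:00+00:00</published>
    <content type="text/xml"><s:dict>
      <s:key name="isDone">1</s:key><s:key name="dispatchState">DONE</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>scheduler__nobody__APP__RMD5aaaa_at_1646283600_12</title>
    <published>2022-03-03T05:00:00+00:00</published>
    <content type="text/xml"><s:dict>
      <s:key name="isDone">0</s:key><s:key name="dispatchState">RUNNING</s:key>
    </s:dict></content>
  </entry>
</feed>
"""


def parse_history(atom_xml):
    """Return one dict per run: sid, published (datetime), done (bool)."""
    runs = []
    for entry in ET.fromstring(atom_xml).iter(f"{ATOM}entry"):
        keys = {k.get("name"): (k.text or "") for k in entry.iter(f"{SREST}key")}
        runs.append({
            "sid": entry.findtext(f"{ATOM}title"),
            "published": datetime.fromisoformat(entry.findtext(f"{ATOM}published")),
            "done": keys.get("isDone") == "1" and keys.get("dispatchState") == "DONE",
        })
    return runs


def latest_completed_sid(atom_xml):
    """SID of the most recent finished run, or None if nothing has completed."""
    done = [r for r in parse_history(atom_xml) if r["done"]]
    return max(done, key=lambda r: r["published"])["sid"] if done else None


def results_url(base, app, sid, output_mode="json"):
    """Build the /search/jobs/<sid>/results URL; count=0 returns all rows."""
    quoted = urllib.parse.quote(sid, safe="")
    query = urllib.parse.urlencode({"output_mode": output_mode, "count": 0})
    return f"{base}/servicesNS/nobody/{app}/search/jobs/{quoted}/results?{query}"


def login(base, username, password, ctx=None):
    """Exchange credentials for a session key (POST /services/auth/login)."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/services/auth/login", data=body)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return ET.fromstring(resp.read()).findtext("sessionKey")


def fetch_latest_results(base, app, saved_search, session_key, ctx=None):
    """Read the saved search's history, then the results of its newest finished run."""
    headers = {"Authorization": f"Splunk {session_key}"}
    name = urllib.parse.quote(saved_search, safe="")
    hist = f"{base}/servicesNS/nobody/{app}/saved/searches/{name}/history"
    with urllib.request.urlopen(urllib.request.Request(hist, headers=headers), context=ctx) as resp:
        sid = latest_completed_sid(resp.read().decode())
    if sid is None:
        return None
    req = urllib.request.Request(results_url(base, app, sid), headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration on the constructed feed; no network access needed.
    sid = latest_completed_sid(SAMPLE_HISTORY)
    print(sid)
    print(results_url("https://SPLUNKURL:8089", "APP", sid))
```

Run it as-is to see the SID selection on the constructed feed; for a real server, call login() and then fetch_latest_results() with the returned session key (pass an ssl context that trusts your Splunk certificate rather than disabling verification).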